
Expiring passwords every x amount of days with a forced change 10 days to expiry?

Writing a new feature for CakePHP 1.3, I want passwords to expire after x amount of days and at y days till expiration automatically change the password to a random string and email the user a new password or a login link. Is a crontab on the server the correct way? Or what about securich?


Cron jobs and securich are two very different things. The first one starts processes at defined intervals, or at given times. The second one seems to be a tool to manage the user privileges of a MySQL server. Obviously the second one doesn't help you very much, because it is not the privileges of the server that concern you, but the passwords (etc.) inside the database.

You can use a cron job for the cleanup. This means that you start a script at an interval of (let's say) 1 day, which goes through your user tables and does what needs to be done. If the last password change was more than x days ago, send an email; if the last password change was more than x + y days ago, change the password and email the new one. Thus you need a new column last_password_change_date or something, and the script needs to know what x and y are.


I'd definitely set this up as a PHP script run daily with a cron job.

Keep track of the date the password was last reset (for each user) in your database and this should be rather simple to develop.


Typically web applications do not use user supplied authentication tokens for authenticating connections to the database (securich is all about managing auth tokens / privileges in the database). And what your code does (manipulating auth tokens) is something completely different from how it is invoked.

So just looking at the problem of invoking the operation....

There are lots of tools available for scheduling programs. cron and at usually come as standard on a Unix/Linux/POSIX system - so they are therefore a sensible tool for the job. But do invoke the CLI PHP interpreter to run the code - do not try to invoke the job as a web page (at least not directly) - web pages are not intended for invoking long running processes.

But why not just force the user to change their password when they've not logged in for a while?

(I'd also argue with the practice of forcing users to change their passwords, and particularly with the practice of changing the password for them and sending out the new password or a substitute token via email).

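The job the first and third answers describe (a daily cron run of the PHP CLI that walks the user table, warns at x days and forces a change at x + y days) as an added example, not code from the question or any answer. The thresholds, the column names (last_password_change, reset_token_hash, reset_expires_at), the crontab line and the mailer calls are assumptions; the sample rows are constructed. It follows the third answer's advice by issuing a one-time login link instead of emailing a new password, and by storing only a hash of the link token.

```php
<?php
// Added example, not from the original post. Schema, thresholds and mailer
// functions are assumptions. Run from cron with the PHP CLI, e.g.
//   15 3 * * * /usr/bin/php /srv/app/bin/password_expiry.php
// and never route it through a web page.

declare(strict_types=1);

const WARN_AFTER_DAYS   = 80;    // x: warn once a password is this old (assumed)
const ROTATE_AFTER_DAYS = 90;    // x + y: force a reset at this age (assumed)
const TOKEN_TTL_SECONDS = 86400; // reset link is valid for one day (assumed)

/** Decide what the job should do for one user: 'ok', 'warn' or 'rotate'. */
function classifyUser(DateTimeImmutable $lastChange, DateTimeImmutable $now): string
{
    $ageDays = (int) floor(($now->getTimestamp() - $lastChange->getTimestamp()) / 86400);
    if ($ageDays >= ROTATE_AFTER_DAYS) {
        return 'rotate';
    }
    if ($ageDays >= WARN_AFTER_DAYS) {
        return 'warn';
    }
    return 'ok';
}

/**
 * Invalidate the current password and produce a one-time reset token.
 * Only the SHA-256 of the token is stored; the plaintext goes into the
 * emailed link, so a database leak does not yield usable links.
 */
function beginRotation(DateTimeImmutable $now): array
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    return [
        // Overwrite the stored hash with one nobody knows the input to,
        // so the old password stops working immediately.
        'password_hash'             => password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT),
        'reset_token_hash'          => hash('sha256', $token),
        'reset_expires_at'          => $now->modify('+' . TOKEN_TTL_SECONDS . ' seconds'),
        'plaintext_token_for_email' => $token,
    ];
}

/** Check a token presented on the login link; constant-time compare, expiry enforced. */
function verifyResetToken(string $presented, string $storedHash, DateTimeImmutable $expires, DateTimeImmutable $now): bool
{
    if ($now > $expires) {
        return false;
    }
    return hash_equals($storedHash, hash('sha256', $presented));
}

// Guard: the job must only run under the CLI interpreter.
if (PHP_SAPI !== 'cli') {
    http_response_code(404);
    exit;
}

// Constructed rows standing in for: SELECT id, email, last_password_change FROM users
$users = [
    ['id' => 1, 'email' => 'a@example.com', 'last_password_change' => '2024-01-01'], // 14 days old
    ['id' => 2, 'email' => 'b@example.com', 'last_password_change' => '2023-10-25'], // 82 days old
    ['id' => 3, 'email' => 'c@example.com', 'last_password_change' => '2023-10-01'], // 106 days old
];
$now = new DateTimeImmutable('2024-01-15');

foreach ($users as $user) {
    $action = classifyUser(new DateTimeImmutable($user['last_password_change']), $now);
    switch ($action) {
        case 'warn':
            // sendWarningEmail($user['email']);   -- hypothetical mailer
            echo "user {$user['id']}: warn\n";
            break;
        case 'rotate':
            $rotation = beginRotation($now);
            // UPDATE users SET password = :password_hash, reset_token_hash = :reset_token_hash,
            //        reset_expires_at = :reset_expires_at WHERE id = :id
            // sendResetLink($user['email'], $rotation['plaintext_token_for_email']); -- hypothetical mailer
            echo "user {$user['id']}: rotate, token hash {$rotation['reset_token_hash']}\n";
            break;
        default:
            echo "user {$user['id']}: ok\n";
    }
}
```

With the constructed rows the run prints ok for user 1, warn for user 2 and rotate for user 3. The login-link handler would look up the user by id, call verifyResetToken with the stored hash and expiry, and on success clear reset_token_hash and let the user set a new password, which also updates last_password_change.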
